Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts data packets sent over a network. IPsec operates at the Internet Layer (referred to generically as the network layer, or Layer 3) of the Internet Protocol (IP) suite, and can automatically secure applications and data transmitted in IP packets. IPsec uses cryptographic security services to support network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys used during the session. The IPsec architecture and operational features are specified in a series of Requests for Comments (RFCs) published online by the Internet Engineering Task Force (IETF), including RFC 4301, RFC 4303, and RFC 4106.
Specific features of IPsec that are used in popular implementations include the following:

Authentication Headers (AH) are added to IPsec packets to provide connectionless data integrity and data origin authentication for IP datagrams, along with protection against replay attacks. The AH contains a 32-bit sequence number and an integrity check value. To protect against replay attacks, the sequence number is never reused in a given Security Association, and when it reaches its maximum value, a new Security Association is negotiated.

Encapsulating Security Payload (ESP) is an encrypted payload format that provides confidentiality, data-origin authentication, connectionless integrity, an anti-replay service, and limited traffic-flow confidentiality. In Tunnel Mode, the entire original IP packet is encapsulated with a new packet header added, and ESP protection is applied to the whole inner IP packet (including the header), while an outer header for network routing remains unprotected.

Security Associations (SA) provide the algorithms and data that are used in deriving and negotiating the parameters necessary for AH and/or ESP operations between a pair of IPsec endpoints. A security association database (SAD) defines the parameters associated with each SA.
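The replay protection described above rests on two receiver- and sender-side rules: the receiver keeps a sliding window over recently accepted sequence numbers and rejects duplicates or packets that fall behind the window, and the sender must stop using an SA before its 32-bit sequence number wraps. The following Python model is an added illustration, not code from the patent or from any IPsec implementation; it follows the window scheme in RFC 4303 Appendix A with an assumed window of 64 packets, and the class and function names are hypothetical.

```python
"""Receiver anti-replay window and sender sequence-number exhaustion for one SA.

Added example (hypothetical names). In a real stack the replay check runs
before integrity verification and the window is updated only after the
integrity check value (ICV) verifies; here the two steps are folded together.
"""

SEQ_MAX = 0xFFFFFFFF   # 32-bit AH/ESP sequence number (no extended sequence numbers)
WINDOW_SIZE = 64       # assumed window; RFC 4303 requires at least 32


class ReplayWindow:
    """Receiver-side state for a single Security Association."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set means sequence number (top - i) was accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh, False if it must be dropped."""
        if seq == 0:
            return False   # the first packet on an SA carries sequence number 1
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # jumped past the whole window; only seq is marked
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False   # behind the window: too old to track, drop
        if (self.bitmap >> offset) & 1:
            return False   # already accepted once: replay, drop
        self.bitmap |= 1 << offset
        return True


class SenderCounter:
    """Sender-side sequence counter; refuses to wrap around within one SA."""

    def __init__(self, start=0):
        self.seq = start

    def next_seq(self):
        """Return the next sequence number, or None when the SA must be replaced."""
        if self.seq >= SEQ_MAX:
            return None    # counter exhausted: negotiate a new SA, never reuse numbers
        self.seq += 1
        return self.seq


def filter_replays(seqs, size=WINDOW_SIZE):
    """Run a sequence of received numbers through one window; True = accepted."""
    window = ReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: out-of-order delivery is fine, a repeat is not.
    print(filter_replays([1, 2, 4, 3, 3, 200, 5, 199]))
```

Out-of-order packets inside the window are accepted once each, a repeat of an accepted number is dropped, and after the window slides past a large gap anything left behind it is dropped even if never seen, which is the deliberate trade-off that keeps per-SA state bounded.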
Because IPsec is computation-intensive, some authors have suggested offloading IPsec processing from the host processor to a network interface controller (NIC). For example, U.S. Pat. No. 8,006,297 describes a method and system for combined security protocol and packet filter offload and onload. This patent describes a NIC that includes a security association database (SADB) comprising a plurality of security associations (SAs), a cryptographic offload engine configured to decrypt a packet using one of the plurality of SAs, a security policy database (SPD) comprising a plurality of security policies (SPs) and a plurality of filter policies, and a policy engine configured to determine an admittance of the packet using one of the plurality of SPs from the SPD and apply one of the plurality of filter policies to the packet.
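The SAD and SPD lookups that the patent attributes to the NIC mirror the inbound processing that RFC 4301 defines for any IPsec endpoint: find the SA for an incoming protected packet, and only admit a packet if a matching security policy allows it. The Python model below is an added illustration of that host-side logic, not the patent's design or any implementation's code; the class names, the selector fields, and the sample SAD and SPD entries are all constructed for the example.

```python
"""Inbound SA lookup and SPD admittance check (added example, hypothetical names).

An inbound IPsec packet is matched to its SA by (SPI, destination, protocol).
After decryption the inner packet's selectors are checked against the SPD: a
PROTECT policy must name the SA that carried the packet, cleartext traffic is
admitted only under a BYPASS policy, and anything unmatched is discarded.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    dst: str          # outer destination address
    protocol: str     # "ESP" or "AH"


@dataclass(frozen=True)
class SecurityPolicy:
    src_net: str
    dst_net: str
    proto: Optional[int]     # IP protocol number of the inner packet, None = any
    action: str              # "PROTECT", "BYPASS" or "DISCARD"
    sa_spi: Optional[int]    # SA that PROTECT traffic must arrive on


class InboundPolicyEngine:
    def __init__(self, sad, spd):
        self.sad = {(sa.spi, sa.dst, sa.protocol): sa for sa in sad}
        self.spd = list(spd)   # ordered; first match wins

    def lookup_sa(self, spi, dst, protocol):
        return self.sad.get((spi, dst, protocol))

    def match_policy(self, src, dst, proto):
        for policy in self.spd:
            if (ip_address(src) in ip_network(policy.src_net)
                    and ip_address(dst) in ip_network(policy.dst_net)
                    and policy.proto in (None, proto)):
                return policy
        return None

    def admit(self, src, dst, proto, spi=None, outer_dst=None, protocol=None):
        """Return (admitted, reason) for a packet's inner selectors.

        spi/outer_dst/protocol are given for protected packets and omitted
        for cleartext ones. Decryption itself is not modelled.
        """
        sa = None
        if spi is not None:
            sa = self.lookup_sa(spi, outer_dst, protocol)
            if sa is None:
                return False, "no SA for SPI"
        policy = self.match_policy(src, dst, proto)
        if policy is None or policy.action == "DISCARD":
            return False, "no policy permits this traffic"
        if policy.action == "BYPASS":
            return (sa is None), ("bypass" if sa is None else "bypass policy but arrived via IPsec")
        # PROTECT: must have arrived on the SA the policy names
        if sa is None:
            return False, "policy requires IPsec"
        if sa.spi != policy.sa_spi:
            return False, "packet arrived on a different SA than policy requires"
        return True, "protected"


# Constructed sample databases for the example.
SAD = [SecurityAssociation(spi=0x1001, dst="192.0.2.1", protocol="ESP")]
SPD = [
    SecurityPolicy("10.0.0.0/8", "192.0.2.0/24", None, "PROTECT", 0x1001),
    SecurityPolicy("0.0.0.0/0", "192.0.2.0/24", 1, "BYPASS", None),   # ICMP in clear
]
ENGINE = InboundPolicyEngine(SAD, SPD)

if __name__ == "__main__":
    print(ENGINE.admit("10.1.1.1", "192.0.2.1", 6, spi=0x1001, outer_dst="192.0.2.1", protocol="ESP"))
    print(ENGINE.admit("10.1.1.1", "192.0.2.1", 6))
```

The second call shows the check that matters most operationally: a cleartext packet whose selectors fall under a PROTECT policy is discarded rather than admitted, so an SA lookup failure or a stripped ESP header cannot downgrade protected traffic to plaintext acceptance.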
As another example, U.S. Patent Application Publication 2010/0228962 describes offloading cryptographic protection processing of packet data sent according to a security protocol between a first computer and a second computer via a forwarding device. The forwarding device performs a portion of the processing, and forwards the packet data to a third computer, connected to the forwarding device, for other processing. The third computer may support non-standard extensions to the security protocol, such as extensions used in authorizing and establishing a connection over the secure protocol. The third computer sends the results of its processing, such as a cryptographic key, or a detected access control policy, to the forwarding device.